Happy Birthday to OpenSolaris! It's now two years old. See this great blog entry by Jim Grisanzio on how far the project and community have come.
Sun has a number of great upcoming events surrounding the open source development model and benefits that customers, system integrators and end users can derive from open source products.
Sun is the leading commercial provider of open source technology in the world today. Unlike many of our competitors (Microsoft, HP, IBM and Apple come to mind) Sun has completely open sourced a wide variety of our most strategic technologies including:
As a Sun Federal employee who works closely with the US DoD, I can tell you that the DoD believes strongly in an open source development model. In a paper written by the Office of the Secretary of Defense, they list three of their primary goals to be:
They also make note of OpenSolaris and quote Scott McNealy as saying:
"You learn to share in preschool. Later you learn that if you make the pie bigger, everyone gets a little more. These lessons came together when we started Sun. We didn't have the resources to do everything ourselves, so we shared what we had to attract customers and get their help in building the business. There are now 4.5 million Java developers and about 950 companies worldwide all collaborating on a technology Sun shared with the community. This is possible because sharing creates communities, which create new markets. It's also changing business models: Companies can no longer expect to lock in customers with proprietary standards. They must now compete on the value of their business execution. They monetize that value a little bit, spread over the entire community. With 1 billion people on the network today, and several million more joining every week, there's a lot of opportunity. So while it may seem counterintuitive for a company to share, it's the key to larger economic growth ― not only for Sun, but also for everyone in the world."
As an example, the US Joint Forces Command (JFCOM) has started a project based upon OpenOffice (the baseline for Sun's StarOffice product). Using OpenOffice as a base, they are building a "Security Enhanced Office Automation suite." Apparently they are unwilling or unable to do this using Microsoft's "Shared Source" agreement.
Some of JFCOM's stated benefits from using open source include:
My customer, the Defense Information Systems Agency (DISA), is moving toward adopting Solaris 10 in their mission critical Command and Control applications as well as their data processing centers. The fact that it is based upon the OpenSolaris project is viewed as positive by them.
If you would like to learn more about Sun's efforts in the open source communities, please visit OpenYourMindToday.com and sign up for the next two events:
Why should you care?
Using open source technologies can provide faster time to market, lower cost and reduced risk of vendor lock-in. Sun's product portfolio is based largely on open sourced technologies.
Sun Microsystems, Inc. the creator of Java technology and Solaris, today highlighted three industry leading products -- Sun Fire X4200, Sun Fire X4600 and NetBeans Integrated Development Environment 5.5 -- as recipients of Technology of the Year Awards by InfoWorld. Garnering top honors from the InfoWorld Test Center, Sun is honored with prestigious titles: Best Server, Best High-Performance Server and Java IDE Innovator.
The X4200 and X4600 support the open source Solaris 10 OS as well as Microsoft Windows 2003 Server, Red Hat and SUSE. NetBeans runs on a variety of platforms including Solaris, Windows, Linux and MacOS.
Click the link above for the entire article.
As a longtime Mac user (and someone who is 100% Microsoft free at home and work) it's important to me to have a common user interface as I move from home to work. When Sun first introduced Gnome in Solaris this caused a problem because the look and feel was too much like Windows for my taste. After years of MacOS and CDE usage it was really annoying to close a window in the upper right corner instead of the upper left, where God and Steve Jobs intended the close box to be.
I use this setup on my Solaris 10 based Sun Ray ultra-thin client at the office as well as my Acer Ferrari 3400 laptop.
Thanks to some Gnome theme hackers, I can now have a MacOS look and feel with window widgets where they belong. Get the theme and icons at: http://www.gnome-look.org/content/show.php?content=13548
Don't forget the most important step:
Why should you care?
If you are a MacOS and Solaris user, this will maximize your productivity by providing a more familiar user interaction. I also enjoy the confused looks I get when I open up my hot, red Ferrari laptop, boot Solaris and login to a Mac like desktop.
I have it on good authority (from Sun Federal COO Bill Vass) that Solaris 10 03/05 has completed its Common Criteria evaluation. It will take us a while to issue a formal press release, but the evaluation is complete. This evaluation was at EAL 4+ using the Controlled Access Protection Profile (CAPP) and the Role Based Access Control PP. The process has taken over a year and cost a significant bundle of cash. Solaris 10 with Solaris Trusted Extensions (found in the 11/06 update) is currently under evaluation with the addition of the Labeled Security PP and should complete next year.
Congratulations and thanks to Sun's evaluation team including Jane Medefesser, Vanessa Kong, and Linda Gallops.
A little history.....
A long, long time ago (back in the 1980s) the NSA created a program known as the Trusted Computer System Evaluation Criteria (TCSEC). As an employee of Gould Computer Systems (RIP!) at that time, I know that Gould's UTX-32 OS was the first commercial Unix to receive a TCSEC C2 evaluation by the NSA. Gould sold about 5 copies of that OS after spending millions of dollars to complete the process. The UK had an equivalent program known as ITSEC. The TCSEC labeled OSes using a letter/number scheme still referred to by some today:
There were two major problems with the NSA system.
As a result, the Common Criteria process was established and a number of countries agreed to abide by it.
What is a CC Evaluation?
The Common Criteria is an international set of standards for evaluating software products against a set of requirements. There are two parts to a CC designation: Evaluation Assurance Level and Protection Profile (more info).
Evaluation Assurance Level
The EAL designates the level of rigor that was applied to an evaluation. Levels range from 1 to 7 and are defined as:
At this time, EAL4 is the highest level that can be transferred from one country to another.
Protection Profile
A protection profile defines the technical functions required to be evaluated. For example, the Controlled Access Protection Profile includes requirements for (among others):
There are a variety of protection profiles for product classes including OS, Database, Firewall, Encryption etc. It is also possible to get a CC Evaluation without a protection profile although the usefulness of such a thing is debatable.
Other protection profiles that apply to Solaris include:
Who cares about Common Criteria?
The US Federal Government and Department of Defense have a variety of policies (FISMA and DoD Directive 8500.2) dictating that CC evaluated products should be used where they exist and are preferred over non-evaluated products. As a result, nearly all purchases by the US government require that an OS be evaluated or at least in the evaluation process. Sun has a long history of evaluated Solaris OS versions over the last 10 years.
As an engineer at Sun with many years of DoD customer experience, I'm frequently asked a number of questions about the interpretation of the CC requirements in the DoD (see the questions in the comments section):
Can I use a Solaris update that's different than the certified version?
Strictly speaking, any change that you make to the certified baseline (platform, version, patches) means you are running an "uncertified configuration." This doesn't make you less secure. Strict conformance to this policy would effectively prevent you from running the latest Solaris version or taking advantage of the latest hardware.
What is the US DoD policy on using later Solaris updates?
While I can't speak for the government, I can relate my direct conversations with officials at the Defense Information Systems Agency (DISA) who create and enforce these policies. I have been told that a CC evaluation is a "checkbox" activity that is NOT the most important item in a security accreditation. The fact that a more recent update of Solaris has not been certified directly should not prevent you from using it. However, if the update has a new security feature that has not been evaluated and you are planning to use that feature, it may be more difficult to get your system accredited. DoD customers should work directly with DISA in this area. There is a help desk available at the DISA Field Security Office.
What about commercial customers?
Each customer has their own policy. Some simply require that a product be "in evaluation." Others require that some version of the product has been certified. Work with your customer's security office to determine their policy.
What does DoD Directive 8500.2 say about CC?
Feel free to read it; however, to paraphrase section E3.2.5: If there is a certified product, you must use it. If there is no product that's certified, it should be "in evaluation." If there is no product in evaluation, a commitment from the vendor to evaluate should be made before you buy. If there is no defined protection profile for a product class (e.g. VMware), the vendor should create a security target and have it evaluated.
If the process was not designed to actually detect software bugs or vulnerabilities in an OS, then what does it check?
This question emphasizes the current disappointment that DoD officials have with the process. They are paying extra money for evaluated products but not necessarily getting better products because of the evaluation process. The process is designed to ensure that a product behaves as documented but it is NOT a source code scrub for buffer overflows, coding errors or other issues (The fact that MS Windows products are evaluated at EAL4 should make this point painfully obvious!).
Does every product need to be CC evaluated?
The DoD directive refers only to "IA products, and IA-enabled IT products." They define an IA-enabled product as "Product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities. Examples include such products as security-enabled web browsers, screening routers, trusted operating systems, and security-enabled messaging systems." By this definition a product like StarOffice is NOT IA-enabled; however, a web portal or an identity management system is IA-enabled in my opinion. Some would say, "If it asks for a username and password, it's IA-enabled."
What is NIAP and who does the evaluations?
NIAP is the National Information Assurance Partnership between NIST and NSA. They control the CC program in the U.S. An evaluation is done by an independent commercial laboratory known as a commercial licensed evaluation facility or CLEF. Sun's evaluation was done by a Canadian CLEF.
What's wrong with the current Common Criteria process?
Although the current process is somewhat better than the old NSA process, it still leaves something to be desired. I have heard it stated in public forums by DoD employees that the CC process does not meet all Government's goals. Current problems include:
What is the difference between a CC evaluation and a site accreditation?
Products are CC evaluated; sites and solutions are accredited. For example, a particular site may take a number of CC evaluated products, install them on computers, connect them to different classifications of network and put the whole solution in a particular building. An accreditation ensures that all these steps were followed with security in mind and that the products, policies, people and procedures meet the security requirements of the mission. An accounting system has different requirements than a warfighting or intelligence gathering system, and the accreditations will vary for each even if they use the same products.
Why should you care?
CC evaluations provide an assurance that a product has been documented properly and behaves in accordance with its documentation. It is an external, third party audit of a product that provides a higher level of assurance on the capabilities of the delivered product. Sun takes our responsibility for security very seriously and our goal is to ensure that Solaris is the preferred platform for Federal mission critical systems.
Sun has a long history of evaluated versions of Solaris including 2.5.1, 2.6, 8, 9, 10 and various Trusted Solaris versions.
CC evaluated products are preferred by most US Federal and DoD procurements.